Information About IP Source Guard

IP Source Guard is a per-interface traffic filter that permits IP traffic only when the IP address and MAC address of each packet matches the IP and MAC address bindings of dynamic or static IP source entries in the Dynamic Host Configuration Protocol (DHCP) snooping binding table.

You can enable IP Source Guard on Layer 2 interfaces that are not trusted by DHCP snooping. IP Source Guard supports interfaces that are configured to operate in access mode and trunk mode. When you initially enable IP Source Guard, all inbound IP traffic on the interface is blocked except for the following:

• DHCP packets, which DHCP snooping inspects and then forwards or drops, depending upon the results of inspecting the packet.

• IP traffic from static IP source entries that you have configured in the Cisco Nexus 1000V.

The device permits the IP traffic when DHCP snooping adds a binding table entry for the IP address and MAC address of an IP packet or when you have configured a static IP source entry.

The device drops IP packets when the IP address and MAC address of the packet do not have a binding table entry or a static IP source entry. For example, assume that the show ip dhcp snooping binding command displays the following binding table entry:

MacAddress          IpAddress   LeaseSec  Type           VLAN  Interface
------------------  ----------  --------  -------------  ----  ----------
00:02:B3:3F:3B:99   10.5.5.2    6943      dhcp-snooping  10    vEthernet3

If the device receives an IP packet with a source IP address of 10.5.5.2, IP Source Guard forwards the packet only if the source MAC address of the packet is 00:02:B3:3F:3B:99.
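The following is an added worked model of the filtering decision described above; it is not Cisco code and is not taken from the Nexus 1000V software. It builds a binding table containing the example row from the show ip dhcp snooping binding output, enables the filter on vEthernet3, and applies the per-interface rule: DHCP packets are handed to DHCP snooping, packets whose (IP, MAC) pair matches a dynamic or static binding on that interface and VLAN are forwarded, and everything else is dropped. The class and field names (IpSourceGuard, Packet, Binding, verdict) are assumptions made for the example; the inclusion of the interface and VLAN in the match key follows the per-interface binding table layout shown in the text.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Constructed model of the DHCP snooping binding table and the IP Source Guard
# check described in the text. Names are hypothetical; the sample row is the
# page's own example entry from "show ip dhcp snooping binding".


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    lease_sec: int        # 0 for static entries, which do not expire
    type: str             # "dhcp-snooping" (learned) or "static" (configured)
    vlan: int
    interface: str


@dataclass(frozen=True)
class Packet:
    interface: str        # ingress Layer 2 interface
    vlan: int
    src_mac: str
    src_ip: str
    is_dhcp: bool = False  # DHCP traffic bypasses the filter and goes to snooping


BindingKey = Tuple[str, int, str, str]   # (interface, vlan, mac, ip)


def _key(interface: str, vlan: int, mac: str, ip: str) -> BindingKey:
    # MAC addresses compare case-insensitively; normalise once here.
    return (interface, vlan, mac.lower(), ip)


class IpSourceGuard:
    """Per-interface source filter fed by the DHCP snooping binding table."""

    def __init__(self) -> None:
        self.bindings: Dict[BindingKey, Binding] = {}
        self.enabled: Set[str] = set()   # untrusted interfaces with the filter on

    def enable(self, interface: str) -> None:
        # Until a binding exists, every non-DHCP IP packet on this interface drops,
        # which is the traffic disruption the guidelines section warns about.
        self.enabled.add(interface)

    def learn_dhcp_binding(self, b: Binding) -> None:
        # What DHCP snooping does when it records a completed lease.
        self.bindings[_key(b.interface, b.vlan, b.mac, b.ip)] = b

    def add_static_entry(self, mac: str, ip: str, vlan: int, interface: str) -> None:
        # Operator-configured entry for a host that does not use DHCP.
        b = Binding(mac.lower(), ip, 0, "static", vlan, interface)
        self.bindings[_key(interface, vlan, mac, ip)] = b

    def remove_static_entry(self, mac: str, ip: str, vlan: int, interface: str) -> bool:
        k = _key(interface, vlan, mac, ip)
        if k in self.bindings and self.bindings[k].type == "static":
            del self.bindings[k]
            return True
        return False

    def verdict(self, pkt: Packet) -> str:
        if pkt.interface not in self.enabled:
            return "forward"          # interface is not filtered by IP Source Guard
        if pkt.is_dhcp:
            return "dhcp-snooping"    # DHCP snooping decides whether it is forwarded
        if _key(pkt.interface, pkt.vlan, pkt.src_mac, pkt.src_ip) in self.bindings:
            return "forward"          # (IP, MAC) pair matches a dynamic or static entry
        return "drop"                 # no binding for this source on this interface


def build_example_guard() -> IpSourceGuard:
    """Guard populated with the page's example binding, filter enabled on vEthernet3."""
    g = IpSourceGuard()
    g.learn_dhcp_binding(Binding("00:02:B3:3F:3B:99", "10.5.5.2", 6943,
                                 "dhcp-snooping", 10, "vEthernet3"))
    g.enable("vEthernet3")
    return g


if __name__ == "__main__":
    g = build_example_guard()
    good = Packet("vEthernet3", 10, "00:02:b3:3f:3b:99", "10.5.5.2")
    spoofed_mac = Packet("vEthernet3", 10, "00:02:B3:3F:3B:98", "10.5.5.2")
    print(good, g.verdict(good))               # forward
    print(spoofed_mac, g.verdict(spoofed_mac))  # drop
```

Running the block prints the verdict for a packet that matches the example binding and for one carrying the bound IP address with a different MAC address; the latter is dropped exactly as the text describes. Adding a static entry with add_static_entry is the modelled equivalent of configuring a static IP source entry, and a packet from that (IP, MAC) pair is then forwarded without any DHCP lease.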

Prerequisites for IP Source Guard

IP Source Guard has the following prerequisites:

• You should be familiar with DHCP snooping before you configure IP Source Guard.

Guidelines and Limitations

IP Source Guard has the following configuration guidelines and limitations:

• IP Source Guard limits IP traffic on an interface to only those sources that have an IP-MAC address binding table entry or static IP source entry. When you first enable IP Source Guard on an interface, you may experience disruption in IP traffic until the hosts on the interface receive a new IP address from a DHCP server.

• IP Source Guard is dependent upon DHCP snooping to build and maintain the IP-MAC address binding table or upon manual maintenance of static IP source entries. For more information on DHCP snooping, see Chapter 12, "Configuring DHCP Snooping."

• For seamless IP Source Guard, Virtual Service Domain (VSD) service VM ports are trusted ports by default. If you configure these ports as untrusted, this setting is ignored.

Configuring IP Source Guard

Enabling or Disabling IP Source Guard on a Layer 2 Interface

Use this procedure to enable or disable IP Source Guard on a Layer 2 interface.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

• Ensure that the VSM and all VEMs are running a software release that supports this feature, Release 4.0(4)SV1(2) or higher, and that the VEM feature level has been updated (see the Cisco Nexus 1000V Software Upgrade Guide, Release 4.0(4)SV1(2)).

(Optional) Copies the running configuration to the startup configuration.

Adding or Removing a Static IP Source Entry

Use this procedure to add or remove a static IP source entry on a device.

BEFORE YOU BEGIN

Before beginning this procedure, you must know or do the following:

• Ensure that the VSM and all VEMs are running a software release that supports this feature, Release 4.0(4)SV1(2) or higher, and that the VEM feature level has been updated (see the Cisco Nexus 1000V Software Upgrade Guide, Release 4.0(4)SV1(2)).